mirror of
https://github.com/google/nomulus.git
synced 2025-07-23 19:20:44 +02:00
Narrowly scope privileges for API service objects
------------- Created by MOE: https://github.com/google/moe MOE_MIGRATED_REVID=129099520
This commit is contained in:
parent
9de287378b
commit
37d30591ed
9 changed files with 65 additions and 158 deletions
|
@ -35,13 +35,13 @@ java_library(
|
|||
srcs = ["Modules.java"],
|
||||
visibility = ["//visibility:public"],
|
||||
deps = [
|
||||
":request",
|
||||
"//java/com/google/api/client/extensions/appengine/http",
|
||||
"//java/com/google/api/client/googleapis/auth/oauth2",
|
||||
"//java/com/google/api/client/googleapis/extensions/appengine/auth/oauth2",
|
||||
"//java/com/google/api/client/http",
|
||||
"//java/com/google/api/client/json",
|
||||
"//java/com/google/api/client/json/jackson2",
|
||||
"//java/com/google/common/base",
|
||||
"//third_party/java/appengine:appengine-api",
|
||||
"//third_party/java/dagger",
|
||||
"//java/google/registry/config",
|
||||
|
|
|
@ -1,27 +0,0 @@
|
|||
// Copyright 2016 The Domain Registry Authors. All Rights Reserved.
|
||||
//
|
||||
// Licensed under the Apache License, Version 2.0 (the "License");
|
||||
// you may not use this file except in compliance with the License.
|
||||
// You may obtain a copy of the License at
|
||||
//
|
||||
// http://www.apache.org/licenses/LICENSE-2.0
|
||||
//
|
||||
// Unless required by applicable law or agreed to in writing, software
|
||||
// distributed under the License is distributed on an "AS IS" BASIS,
|
||||
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
// See the License for the specific language governing permissions and
|
||||
// limitations under the License.
|
||||
|
||||
package google.registry.request;
|
||||
|
||||
import java.lang.annotation.Documented;
|
||||
import java.util.Set;
|
||||
import javax.inject.Qualifier;
|
||||
|
||||
/**
|
||||
* Dagger qualifier for the {@link Set} of OAuth2 scope strings used for authorization on APIs that
|
||||
* are connected to using a delegated user account (the serviceAccountUser in GoogleCredential).
|
||||
*/
|
||||
@Qualifier
|
||||
@Documented
|
||||
public @interface DelegatedOAuthScopes {}
|
|
@ -31,6 +31,7 @@ import com.google.appengine.api.urlfetch.URLFetchService;
|
|||
import com.google.appengine.api.urlfetch.URLFetchServiceFactory;
|
||||
import com.google.appengine.api.users.UserService;
|
||||
import com.google.appengine.api.users.UserServiceFactory;
|
||||
import com.google.common.base.Function;
|
||||
import dagger.Binds;
|
||||
import dagger.Module;
|
||||
import dagger.Provides;
|
||||
|
@ -40,6 +41,7 @@ import java.io.ByteArrayInputStream;
|
|||
import java.io.IOException;
|
||||
import java.util.Set;
|
||||
import javax.inject.Named;
|
||||
import javax.inject.Provider;
|
||||
import javax.inject.Singleton;
|
||||
|
||||
/** Dagger modules for App Engine services and other vendor classes. */
|
||||
|
@ -124,20 +126,41 @@ public final class Modules {
|
|||
@Module
|
||||
public static final class AppIdentityCredentialModule {
|
||||
@Provides
|
||||
static AppIdentityCredential provideAppIdentityCredential(@OAuthScopes Set<String> scopes) {
|
||||
return new AppIdentityCredential(scopes);
|
||||
static Function<Set<String>, AppIdentityCredential> provideAppIdentityCredential() {
|
||||
return new Function<Set<String>, AppIdentityCredential>() {
|
||||
@Override
|
||||
public AppIdentityCredential apply(Set<String> scopes) {
|
||||
return new AppIdentityCredential(scopes);
|
||||
}
|
||||
};
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Dagger module causing Google APIs requests to be authorized with your GAE app identity.
|
||||
*
|
||||
* <p>You must also use the {@link AppIdentityCredential} module.
|
||||
* <p>You must also use the {@link AppIdentityCredentialModule}.
|
||||
*/
|
||||
@Module
|
||||
public abstract static class UseAppIdentityCredentialForGoogleApisModule {
|
||||
@Binds
|
||||
abstract HttpRequestInitializer provideHttpRequestInitializer(AppIdentityCredential credential);
|
||||
abstract Function<Set<String>, ? extends HttpRequestInitializer>
|
||||
provideHttpRequestInitializer(Function<Set<String>, AppIdentityCredential> credential);
|
||||
}
|
||||
|
||||
/**
|
||||
* Module indicating Google API requests should be authorized with JSON {@link GoogleCredential}.
|
||||
*
|
||||
* <p>This is useful when configuring a component that runs the registry outside of the App Engine
|
||||
* environment, for example, in a command line environment.
|
||||
*
|
||||
* <p>You must also use the {@link GoogleCredentialModule}.
|
||||
*/
|
||||
@Module
|
||||
public abstract static class UseGoogleCredentialForGoogleApisModule {
|
||||
@Binds
|
||||
abstract Function<Set<String>, ? extends HttpRequestInitializer>
|
||||
provideHttpRequestInitializer(Function<Set<String>, GoogleCredential> credential);
|
||||
}
|
||||
|
||||
/**
|
||||
|
@ -160,6 +183,7 @@ public final class Modules {
|
|||
public static final class GoogleCredentialModule {
|
||||
|
||||
@Provides
|
||||
@Singleton
|
||||
static GoogleCredential provideGoogleCredential(
|
||||
HttpTransport httpTransport,
|
||||
JsonFactory jsonFactory,
|
||||
|
@ -172,6 +196,17 @@ public final class Modules {
|
|||
}
|
||||
}
|
||||
|
||||
@Provides
|
||||
static Function<Set<String>, GoogleCredential> provideScopedGoogleCredential(
|
||||
final Provider<GoogleCredential> googleCredentialProvider) {
|
||||
return new Function<Set<String>, GoogleCredential>() {
|
||||
@Override
|
||||
public GoogleCredential apply(Set<String> scopes) {
|
||||
return googleCredentialProvider.get().createScoped(scopes);
|
||||
}
|
||||
};
|
||||
}
|
||||
|
||||
/**
|
||||
* Provides a GoogleCredential that will connect to GAE using delegated admin access. This is
|
||||
* needed for API calls requiring domain admin access to the relevant GAFYD using delegated
|
||||
|
@ -183,14 +218,12 @@ public final class Modules {
|
|||
static GoogleCredential provideDelegatedAdminGoogleCredential(
|
||||
GoogleCredential googleCredential,
|
||||
HttpTransport httpTransport,
|
||||
@DelegatedOAuthScopes Set<String> scopes,
|
||||
@Config("googleAppsAdminEmailAddress") String googleAppsAdminEmailAddress) {
|
||||
return new GoogleCredential.Builder()
|
||||
.setTransport(httpTransport)
|
||||
.setJsonFactory(googleCredential.getJsonFactory())
|
||||
.setServiceAccountId(googleCredential.getServiceAccountId())
|
||||
.setServiceAccountPrivateKey(googleCredential.getServiceAccountPrivateKey())
|
||||
.setServiceAccountScopes(scopes)
|
||||
.setServiceAccountUser(googleAppsAdminEmailAddress)
|
||||
.build();
|
||||
}
|
||||
|
|
|
@ -1,24 +0,0 @@
|
|||
// Copyright 2016 The Domain Registry Authors. All Rights Reserved.
|
||||
//
|
||||
// Licensed under the Apache License, Version 2.0 (the "License");
|
||||
// you may not use this file except in compliance with the License.
|
||||
// You may obtain a copy of the License at
|
||||
//
|
||||
// http://www.apache.org/licenses/LICENSE-2.0
|
||||
//
|
||||
// Unless required by applicable law or agreed to in writing, software
|
||||
// distributed under the License is distributed on an "AS IS" BASIS,
|
||||
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
// See the License for the specific language governing permissions and
|
||||
// limitations under the License.
|
||||
|
||||
package google.registry.request;
|
||||
|
||||
import java.lang.annotation.Documented;
|
||||
import java.util.Set;
|
||||
import javax.inject.Qualifier;
|
||||
|
||||
/** Dagger qualifier for the {@link Set} of OAuth2 scope strings, used for API authorization. */
|
||||
@Qualifier
|
||||
@Documented
|
||||
public @interface OAuthScopes {}
|
Loading…
Add table
Add a link
Reference in a new issue